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TITLE OF THE INVENTION 

ENCRYPTION METHOD , ENCRYPTION APPARATUS , DECRYPTION 
METHOD, AND DECRYPTION APPARATUS 

This application is based on an application No. 
11-245277 filed in Japan, the content of which is hereby 
incorporated by reference. 

BACKGROUND OF THE INVENTION 

(1) Field of the Invention 

The present invention relates to a cryptographic 
technique that encrypts a plaintext to generate a 
ciphertext and then decrypts the ciphertext to obtain the 
original plaintext . 

(2) Description of the Related Art 

In recent years, it is becoming increasingly common 
to encrypt important information before transmission to 
prevent third parties from knowing its content. More 
secure forms of encryption are therefore being sought. 

Japanese Laid-Open Patent Application No. Hll-7239 
teaches a data encryption apparatus that aims to achieve 
more secure encryption. 

This data encryption apparatus divides a plaintext 
received from outside into a plurality of plaintext blocks 
and encrypts each plaintext block using key data to 
generate ciphertext blocks. When encrypting the first 



plaintext block, this data encryption apparatus uses key 
data obtained from outside the apparatus. For the second 
and following plaintext blocks, the data encryption 
apparatus updates the key data using the ciphertext block 
generated when encrypting the preceding plaintext block, 
and encrypts the present plaintext block using this updated 
key data. 

The data encryption apparatus encrypts each 
plaintext block in the following way. The data encryption 
apparatus includes a subkey generating unit and first to 
eighth encrypting units. The subkey generating unit uses 
the key data to generate first to eighth subkeys. Each 
of these first to eighth subkeys are different. The first 
encrypting unit generates a first intermediate block from 
a plaintext block using the first subkey. The second 
encrypting unit generates a second intermediate block from 
the first intermediate block using the second subkey. The 
third to seventh encrypting units similarly generate third 
to seventh intermediate . blocks from the second to sixth 
intermediate blocks using the third to seventh subkeys. 
The eighth encrypting unit generates a ciphertext block 
from the seventh intermediate block using the eighth 
subkey. 

Each plaintext block is encrypted using key data that 
differs for each plaintext block. This makes it difficult 
to accumulate pairs of plaintexts that have been encrypted 
using the same key and the resulting ciphertexts. As a 




result, the security of the encryption against known 
plaintext attacks, such as differential cryptanalysis and 
linear cryptanalysis, is improved. 

However, the subkey generating unit in this data 
5 encryption apparatus has to generate many different 

subkeys every time a plaintext block is encrypted. This 
has the drawback of lowering the speed of the cryptographic 
processing . 

O 10 SUMMARY OF THE INVENTION 

51 The present invention was conceived in view of the 

E e I 

ro stated problem and has an object of providing an encryption 

U: apparatus that performs cryptographic processing which is 

s fast and has a high degree of security against known 

2 15 plaintext attacks. The invention also aims to provide an 
encryption method, a decryption apparatus, a decryption 

^ method, and a recording medium that stores an encryption 

las? 

program and/or decryption program, each of which has the 
same effect. 

20 The stated object can be achieved by an encryption 

method for use by an encryption apparatus that encrypts 
plaintext data composed of a plurality of blocks, the 
encryption method comprising: a block obtaining step for 
obtaining the plaintext data one block at a time in order 

25 from outside the encryption apparatus; a selecting step 
for selecting either a first mode or a second mode for a 
current block obtained in the block obtaining step 
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according to how many blocks have been obtained; a key 
generating step for generating (1) a first group composed 
of a predetermined number n of different subkeys when the 
first mode is selected, and (2) a second group composed 
5 of less than n different subkeys when the second mode is 
selected; and an encrypting step for encrypting the current 
block by subjecting the current block to n conversion 
processes in order, wherein in the first mode, each of the 
n conversion processes is associated with a different 
C 10 subkey in the first group and is performed using the 
6^ associated subkey, and in the second mode , the n conversion 

ro processes are associated with subkeys in the second group 

i s c 

H= and are each performed using the associated subkey. 

W 

E In the stated method, fewer subkeys are generated in 

S 15 the second mode than in the first mode. This suppresses 
Iri decreases in processing speed caused by the generation of 

S subkeys during the encryption of blocks . 

Here, the selecting step may select (i) the first mode 
for blocks whenever a number of blocks that have been 
20 obtained is equal to a multiple of a predetermined value, 
and (ii) the second mode for all other cases. 

In the stated method, the first mode is only selected 
for certain blocks in the plaintext data. The second mode 
is selected for all other blocks. This means that the 
25 second mode is selected more often that the first mode, 
and that the decreases in the cryptographic processing 
speed for the entire plaintext data composed of the blocks 
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can be suppressed. 

Here, the encryption apparatus may include an initial 
value storing means for storing an initial value, the 
encrypting step may encrypt the current block to generate 

5 a ciphertext block having a predetermined length, and 
the key generating step may generate the first group using 
the initial value in the first mode and generate the second 
group using the initial value and the ciphertext block most 
recently generated by the encrypting step in the second 

10 mode . 

In the stated method, each plaintext block is 
encrypted using different key data. This makes it 
difficult for third parties to accumulate pairs of 
plaintexts encrypted using the same key and the resulting 

15 ciphertexts. This increases the security against known 
plaintext attacks, such as differential cryptanalysis and 
linear cryptanalysis . 

The stated object can be achieved by a decryption 
method for use by a decryption apparatus that decrypts 

20 ciphertext data in ciphertext block units, the decryption 
method including: a block obtaining step for obtaining the 
ciphertext data one ciphertext block at a time in order 
from outside the decryption apparatus; a selecting step 
for selecting either a first mode or a second mode for use 

25 with a current ciphertext block obtained in the block 
obtaining step according to how many ciphertext blocks have 
been obtained; a key generating step for generating 



(1) a first group composed of a predetermined number n of 
different subkeys when the first mode is selected and 

(2) a second group composed of less than n different subkeys 
when the second mode is selected; and a decrypting step 

5 for decrypting the current ciphertext block by subjecting 
the current ciphertext block to n conversion processes in 
order, wherein in the first mode, each of the n conversion 
processes is associated with a different subkey in the 
first group and is performed using the associated subkey, 
10 and in the second mode, the n conversion processes are 
associated with subkeys in the second group and are each 
performed using the associated subkey. 

In the stated method, fewer subkeys are generated in 
the second mode than in the first mode. This suppresses 
1 15 decreases in processing speed caused by the generation of 
subkeys during the decryption of ciphertext blocks. 

The stated object can also be achieved by a decryption 
method for use by a decryption apparatus that decrypts 
ciphertext data in ciphertext block units, the decryption 
20 method comprising: a block obtaining step for obtaining 
the ciphertext data one ciphertext block at a time in order 
from outside the decryption apparatus; a selecting step 
for selecting either a first mode or a second mode for use 
with a current ciphertext block obtained in the block 
25 obtaining step according to how many ciphertext blocks have 
been obtained; a key generating step for generating 
(1) a first group composed of a predetermined number n of 
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different subkeys when the first mode is selected and 
(2) a second group composed of less than n different subkeys 
when the second mode is selected; and a decrypting step 
for decrypting the current ciphertext block by subjecting 
the current ciphertext block to n conversion processes in 
order, wherein in the first mode, each of the n conversion 
processes is associated with a different subkey in the 
first group and is performed using the associated subkey, 
and in the second mode, the n conversion processes are 
associated with subkeys in the second group and are each 
performed using the associated subkey. 

In the stated method, the first mode is only selected 
for certain blocks in the plaintext data. The second mode 
is selected for all other blocks . This means that the 
second mode is selected more often that the first mode and 
that the decreases in the decryption processing speed for 
the entire ciphertext data composed of the ciphertext 
blocks can be suppressed. 

Here, the decryption apparatus may include an initial 
value storing means for storing an initial value, 
the key generating step generating the first group using 
the initial value in the first mode and generating the 
second group using the initial value and the ciphertext 
block obtained immediately before the current ciphertext 
block in the second mode. 

In the stated method, each ciphertext block is 
decrypted using different key data. This makes it 



difficult for third parties to accumulate pairs of 
plaintexts encrypted using the same key and the resulting 
ciphertexts. This increases the security against known 
plaintext attacks, such as differential cryptanalysis and 
linear cryptanalysis . 

As described above, the present invention achieves 
a similar level of security to the described conventional 
technology while improving the speed of the cryptographic 
processing. The invention suited to processes such as the 
secret communication of image and other information in real 
time. With the current demand for improvements in 
multimedia technology, this makes the effect of the 
invention especially significant. 

BRIEF DESCRIPTION OF THE DRAWINGS 

These and the other objects, advantages and features 
of the invention will become apparent from the following 
description thereof taken in conjunction with the 
accompanying drawings which illustrate a specific 
embodiment of the invention. 

In the drawings : 

FIG. 1 is a block diagram showing the construction 
of an encrypted communication system 5 that is a preferred 
embodiment of the present invention; 

FIG. 2 is a block diagram showing the construction 
of the data encrypting unit 10 in the transmission 
apparatus 1; 
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FIG. 3 is a block diagram showing the constructions 
of the encrypting unit 100 and the subkey data generating 
unit 101; 

FIG. 4 is a block diagram showing the construction 
5 of the data randomizing unit 301; 

FIG. 5A and FIG. 5B are conceptual drawings showing 
which of the plurality of sets of subkey data generated 
by the subkey data generating unit 101 is used by each of 
the first to sixteenth encrypting units of the encrypting 
10 unit 100, with FIG. 5A showing the case where the subkey 
data generating type is A and FIG. 5B showing the case where 
the subkey data generating type is B; 

FIG. 6 shows the correspondence between the count 
a value, the input key data and the subkey data generating 

S 15 type; 

in FIG. 7 is a block diagram showing the construction 

S of the data decrypting unit 20 in the reception apparatus 

2; 

FIG. 8 is a flowchart showing the overall operation 
20 of the transmission apparatus 1; 

FIG. 9 is a flowchart showing the operation of the 
data encrypting unit 10 of the transmission apparatus 1; 

FIG. 10 is a flowchart showing the operation of the 
counter unit 105 in the data encrypting unit 10; 
25 FIG. 11 is a flowchart showing the operation of the 

register unit 104 in the data encrypting unit 10; 

FIG. 12 is a flowchart showing a former part of the 
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operation of the subkey data generating unit 101 in the 
data encrypting unit 10; 

FIG. 13 is also a flowchart showing a latter part of 
the operation of the subkey data generating unit 101 in 
the data encrypting unit 10; and 

FIG. 14 is a flowchart showing the operation of the 
data randomizing unit 301 in the subkey data generating 
unit 101. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

The following describes an encrypted communication 
system 5 according to a preferred embodiment of the present 
invention . 

1 . Cons-brucblon of the Encrypted Communication System 5 

As shown in FIG. 1/ the encrypted communication 
system 5 is constructed of a transmission apparatus 1^ a 
reception apparatus 2 and a transfer path 3. The transfer 
path 3 connects the transmission apparatus 1 and the 
reception apparatus 2 . 

The transmission apparatus 1 and the reception 
apparatus 2 are each provided beforehand with the same 
encryption key data EK. The transmission apparatus 1 
encrypts the plaintext data P using the encryption key data 
EK to generate the ciphertext data C, and then transmits 
the generated ciphertext data C to the reception apparatus 
2 via the transfer path 3 . The reception apparatus 2 
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receives this ciphertext data C, decrypts the ciphertext 
data C using the encryption key data EK, and so generates 
the decrypted text data D. Here, the decrypting performed 
by the reception apparatus 2 is the inverse of the 
5 encrypting performed by the transmission apparatus 1, so 
that the decrypted text data D generated by the decrypting 
is the same as the plaintext data P. 

1.1 Constructions of the Transmission Apparatus 1 and the 
B 10 Reception Apparatus 2 

: n 

-As? 

(1) Construction of the Transmission Apparatus 1 

As shown in FIG. 1, the transmission apparatus 1 is 
constructed of a plaintext data storing unit 12, an 
encryption key data storing unit 13, a data encrypting unit 
S 15 10, and a transmitting unit 11. 

The plaintext data storing unit 12 stores the 
plaintext data P beforehand. This plaintext data P is 
digital data that includes at least 64 bits, and can be 
digitally encoded audio or image information, for example. 
20 The encryption key data storing unit 13 stores 64-bit 

encryption key data EK in advance . The encryption key data 
EK is decided in advance for both the transmission 
apparatus 1 and the reception apparatus 2 . 

The data encrypting unit 10 reads the plaintext data 
25 P from the plaintext data storing unit 12 and the encryption 
key data EK from the encryption key data storing unit 13. 
The data encrypting unit 10 then encrypts the plaintext 
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data P using the encryption key data EK to generate the 
ciphertext data C. The data encrypting unit 10 outputs 
the resulting ciphertext data C to the transmitting unit 
11. This data encrypting unit 10 is described in detail 
later in this specification. 

The transmitting unit 11 receives the ciphertext data 
C, performs a parallel-to-serial on the ciphertext data 
C, and then modulates and amplifies the converted data to 
generate signals. The transmitting unit 11 transmits 
these signals via the transfer path 3 to the reception 
apparatus 2 . 

(2) Construction of the Reception Apparatus 2 

As shown in FIG. 1, the reception apparatus 2 is 
constructed of a decrypted text data, storing unit 22, an 
encryption key data storing unit 23, a data decrypting unit 
20, and a receiving unit 21. 

The receiving unit 21 receives signals transmitted 
by the transmitting unit 11 of the transmission apparatus 
1 via the transfer path 3, demodulates the signals, and 
performs a serial-to-parallel conversion to obtain the 
ciphertext data C. The receiving unit 21 outputs this 
ciphertext data C to the data decrypting unit 20. 

The encryption key data storing unit 23 stores 64-bit 
encryption key data EK in advance. This encryption key 
data EK is the same as that stored by the encryption key 
data storing unit 13 in the transmission apparatus 1. 
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The data decrypting unit 2 0 receives the ciphertext 
data C and reads the encryption key data EK from the 
encryption key data storing unit 23. The data decrypting 
unit 20 decrypts the ciphertext data C using the encryption 
5 key data EK to generate the decrypted text data D. The 
data decrypting unit 20 writes this decrypted text data 
D into the decrypted text data storing unit 22. The 
decrypting performed by the data decrypting unit 2 0 is the 
inverse of the encrypting performed by the data encrypting 
2 10 unit 10. This means that the decrypted text data D is the 
J^: same as the original plaintext data P. This data 

2 decrypting unit 20 is also described in detail later in 

H= this specification . 

m 

- The decrypted text data storing unit 22 stores the 

15 decrypted text data D. 

1.2 Construction of the Data Encrypting Unit 10 

As shown in FIG. 2, the data encrypting unit 10 is 
constructed of an encrypting unit 100, a subkey data 
20 generating unit 101, a logical XOR unit 102, a data 

converting unit 103, a register unit 104, a counter unit 
105, a subkey data generation control unit 106, a register 
control unit 107, a block dividing unit 108, a block 
combining unit 109, a key obtaining unit 110, and a key 
25 storing unit 111. 
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(1) Block Dividing Unit 108 

The block dividing unit 108 reads the plaintext data 
P from the plaintext data storing unit 12 and divides the 
plaintext data P in block units measured from the start 
5 of the plaintext data P to generate a plurality of plaintext 
blocks Pt (where t==0,l,2 ....)• Each plaintext block Pt 
is 64 bits long. The block dividing unit 108 outputs these 
plaintext blocks Pt sequentially to the encrypting unit 
100. After outputting all of the plaintext blocks Pt, the 
10 block dividing unit 108 outputs information showing that 
f^. output has been completed to the block combining unit 109. 
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(2) Key Obtaining Unit 110 

The key obtaining unit 110 reads the encryption key 
data EK from the encryption key data storing unit 13 and 
writes the read encryption key data EK into the key storing 
unit 111. 



(3) Key Storing Unit 111 
20 The key storing unit 111 stores the encryption key 

data EK. 



(4) Encrypting Unit 100 

As shown in FIG. 3^ the encrypting unit 100 includes 
25 a first encrypting unit 100a, a second encrypting unit 
100b, .... a fifteenth encrypting unit 100c and a sixteenth 
encrypting unit lOOd. 
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The first encrypting unit 100a obtains a plaintext 
block Pt from the block dividing unit 108 and first subkey 
data SKo from the subkey data generating unit 101. The 
first subkey data SKq is 32 bits long . The first encrypting 

5 unit 100a encrypts the obtained plaintext block Pt using 
the first subkey data SKo to generate a first intermediate 
block. The first encrypting unit 100a outputs this first 
intermediate block to the second encrypting unit 100b. 

The encryption performed by the first encrypting unit 

10 100a is the data encryption part of a FEAL (Fast Data 
Encipherment Algorithm) encryption method, which is a 
well-known block encryption technique. 

The second to fifteenth encrypting units 
respectively receive an intermediate block from a 

15 preceding encrypting unit in the first to fourteenth 

encrypting units and second to fifteenth subkey data SKi 
to SKi4 from the subkey data generating unit 101. Each of 
the second to fifteenth sets of subkey data SKi to SK14 is 
32 bits long. The second to fifteenth encrypting units 

20 respectively encrypt the received intermediate block using 
the second to fifteenth subkey data SKi to SK14 to generate 
second to fifteenth intermediate blocks which are 
respectively outputted to the third to sixteenth 
encrypting units . 

25 The sixteenth encrypting unit lOOd obtains the 

fifteenth intermediate block from the fifteenth encrypting 
unit 100c and obtains the sixteenth subkey data SK15 from 
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the subkey data generating unit 101. The sixteenth subkey 
data SKi5 is also 32 bits long. The sixteenth encrypting 
unit lOOd encrypts the obtained intermediate block using 
the sixteenth subkey data SK15 to generate the ciphertext 
block Cf 

Equation 7 

Ct = Enc(Pt,SKOt) 

Here, the expression Enc(Pt,SKOt) shows that the 
plaintext block Pt is encrypted using a group SKOt (SKq to 
SK15) of subkey data that has been generated as part of the 
t^^ encrypting process. 

The sixteenth encrypting unit lOOd outputs the 
ciphertext block Ct it has generated to the block combining 
unit 109. 

When the generated ciphertext block Ct has been 
outputted to the block combining unit 109, the encrypting 
unit 100 outputs information showing that the encryption 
of one plaintext block has been completed to the counter 
unit 105. 

(5) Register Unit 104 

The register unit 104 includes regions for storing 
a 64-bit initial value IV and 64-bit stored data ROf The 
value of the stored data ROt is set at the initial value 
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IV in advance . 

The register unit 104 receives the ciphertext block 
Ct from the sixteenth encrypting unit lOOd. 

The register unit 104 receives a control signal from 
5 the register control unit 107. When the received control 
signal is "0"and a ciphertext block Ct is received from 
the sixteenth encrypting unit lOOd, the register unit 104 
stores the ciphertext block Ct as the stored data ROf When 
the received control signal is "1", the register unit 104 

0 10 reads the initial value IV and stores the initial value 

01 IV as the stored data ROf 

£ . ; 

ffl Putting this another way, suppose that T represents 

01 

u a predetermined cycle and that n is 0,1 .... When the 

r (T*n)^^ plaintext block Pt (where t=T*n) block is being 

S 15 encrypted, the register unit 104 resets the stored value 
ROt using the initial value IV that is set in advance. The 
value "T" is set in advance and is described later in this 
specification . When a plaintext block that is not a (T*n) 
plaintext block (which is to say a plaintext block Pt where 
20 t^T*n) is encrypted, the received ciphertext block Ct is 
stored as the stored data ROt. 

(6) Data Converting Unit 103 

The data converting unit 103 reads the 64-bit stored 
25 data ROt from the register unit 104. When the encrypting 
unit 100 encrypts the t^^ plaintext block Pt, the data 
converting unit 103 reads the 64-bit data ROt shown below. 
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Equation 1 



When t9tT*k (where k=0,l, ...) 

ROt =Ct-i 

Equation 2 

When t=T*k (where k=0,l, ...) 

ROt =IV 

The data converting unit 103 subjects the read stored 
data ROt to a predetermined data conversion f to generate 
SOf 



Equation 3 

SOt =f (ROt) 

In this specification, the expression f (X) 
represents the result of subjecting the input data X to 
the predetermined data conversion f . This predetermined 
data conversion f is a 13-bit rotated shift toward the MSB 
(most significant bit) of 64-bit data. 

After this, the data converting unit 103 outputs the 
64-bit data SOt that is generated by the conversion to the 
logical XOR unit 102. 
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(7) Logical XOR Unit 102 

The logical XOR unit 102 receives the 64-bit data SOt 
from the data converting unit 103 and reads the encryption 
key data EK from the key storing unit 111, 
5 The logical XOR unit 102 takes an XOR for each bit 

in the 64-bit data SOt and a corresponding bit in the 
encryption key data EK and so generates the 64-bit input 
key data IKOf 

10 Equation 4 
?1 IKOt =SOt( + )EK 



Note that in the above equation^ the symbol " ( + ) " is 
used to denote an XOR operation. 
15 The logical XOR unit 102 outputs the input key data 

IKOt it has generated to the subkey data generating unit 
101. 



(8) Subkey Data Generating Unit 101 

20 The subkey data generating unit 101 receives a 

control signal from the subkey data generation control unit 
10 6 and the input key data IKOt from the logical XOR unit 
102. This control signal shows whether or not a (T*n)^^ 
(where n=0,l^ ....) plaintext block is being encrypted. 

25 Such encrypting happens once in every predetermined cycle 
T. In the present example, the predetermined cycle T is 
set at 2^° encryption operations. 
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The subkey data generating unit 101 is capable of two 
(type A and type B) subkey generating processes. The type 
A subkey generating process has a heavy processing load 
while the type B has a light processing load. In accordance 

5 with the received control signal, the subkey data 

generating unit 101 selects one of the two types of subkey 
generating processes and perforins the selected process 
using the input key data IKOt to generate sixteen sets of 
32-bit subkey data (i.e., the first to sixteenth first 

10 subkey data SKq to SK15) . 



Equation 5 
^ When t9tT*k(k=0,l, . . .) 

SKOt=KGB(IKOt) 
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Here, the expression KGB(X) refers to sixteen sets 
of subkey data generated from the input key data IKOt by 
the type B subkey data generating process. These sixteen 
sets of subkey data are composed of two types of subkey 
20 data. 

Equation 6 

When t=T*k (k=0, 1, . . . ) 

SKOt =KGA(IKOt) 

25 The expression KGA(X) represents the sixteen sets of 

subkey data that are generated by the type A subkey 
generating process. Each of these sixteen sets of subkey 
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data is different from the others • 

The subkey data generating unit 101 outputs sixteen 
sets of subkey data SKo to SK15 it has generated to the first 
to sixteenth encrypting units of the encrypting unit 100. 

FIG. 6 shows the relationship between the count value 
of the counter unit 105, the input key data received by 
the subkey data generating unit 101, and the type (A or 
B) of subkey generating process used by the subkey data 
generating unit 101 . When the count value is "0", the input 
key data is generated using the encryption key data EK and 
the initial value IV, and the type A subkey generating 
process is used. Conversely, when the count value is "1" 
to "2^°-l", the input key data is generated using the 
encryption key data EK and the ciphertext block generated 
by the preceding encrypting process, and the type B subkey 
generating process is used. 

As shown in FIG. 3, the subkey data generating unit 
101 is constructed of the data randomizing unit 301, the 
randomized data storing unit 302, and the number of stages 
control unit 303. 

(a) Data Randomizing Unit 301 

The data randomizing unit 301 receives 64-bit data 
from the number of stages control unit 303, performs a 
predetermined data randomizing process on this data, and 
so generates 32-bit subkey data SK and 64-bit randomized 
data. The data randomizing unit 301 outputs the 32-bit 
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subkey data SK to the randomized data storing unit 302 and 
the generated 64-bit randomized data to the number of 
stages control unit 303. 

As shown in FIG. A, the data randomizing unit 301 is 
constructed of a separating unit 301a, a logical XOR unit 
301b, a data jumbling unit 301c, and a combining unit 301d. 

Separating Unit 301a 

The separating unit 301a receives 64-bit data from 
the number of stages control unit 303 and separates this 
data into the upper 32 bits (hereafter called "data Al") 
and the lower 32 bits (hereafter called "data AO") . The 
separating unit 301a outputs the data Al to the logical 
XOR unit 301b and the data jumbling unit 301c, and the data 
AO to the combining unit 301d and the data jumbling unit 
301c. 

Data Jumbling Unit 301c 

The data jumbling unit 301c receives the data AO and 
the data Al from the separating unit 301a, takes an 
exclusive OR for each bit in the data AO and the data Al, 
and so obtains 32-bit data. The data jumbling unit 301c 
separates this data into four sets of 8-bit data, performs 
a predetermined substitution for each set of eight-bit data 
and so generates four sets of 8-bit data. The 
predetermined substitution referred to here is performed 
using a table that stores 256 8-bit values that have been 
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assigned address values from "0" to "255". 

After this, the data jumbling unit 301c generates 
32-bit data by combining the four sets of 8-bit data it 
has generated. The data jumbling unit 301c transposes a 
5 specific bits in this 32-bit value to generate the new 
32-bit data CI which it outputs to the logical XOR unit 
301b. 

Logical XOR Unit 301b 
g 10 The logical XOR unit 301b receives the data Al from 

\\ the separating unit 301a and the 32-bit data CI from the 

J data jumbling unit 301c. The logical XOR unit 301b takes 

^ a logical XOR for each bit in the data Al and the data CI 

to generate the 32-bit subkey data BO. The logical XOR 
Q 15 unit 301b then outputs this subkey data BO to the randomized 
n data storing unit 302 and the combining unit 301d. 

Combining Unit 301d 

The combining unit 301d receives the data AO from the 

20 separating unit 301a and the subkey data BO from the logical 
XOR unit 301b. The combining unit 301d combines the data 
AO and the subkey data BO to generate 64-bit randomized 
data that has the data AO as the upper 32 bits and the subkey 
data BO as the lower bits. The combining unit 301d outputs 

25 this 64-bit randomized data to the number of stages control 
unit 303. 

23 
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(b) Number Of Stages Control Unit 303 

The number of stages control unit 303 operates as 
described below to have the data randomizing unit 301 
repeat the data randomizing process. 

5 The number of stages control unit 303 is equipped with 

a region for storing (1) a processing iteration number 
showing a total number of times the data randomizing unit 
301 has performed the randomizing process and (2) a maximum 
number of iterations. 

10 The number of stages control unit 303 receives the 

input subkey data from the logical XOR unit 102 or the 
64-bit randomized data from the data randomizing unit 301. 
The number of stages control unit 303 also receives a 
control signal from the subkey data generation control unit 

15 10 6. When the received control signal is "1"^ the maximum 
number of iterations is set at "16". When the received 
control signal is "0", the maximum number of iterations 
is set at "2". On receiving a control signal, the number 
of stages control unit 303 resets the processing iteration 

20 number to "0". 

The number of stages control unit 303 receives the 
input key data or randomized key data, adds one to the 
processing iteration number and compares the processing 
iteration number with the maximum number of iterations . 

25 If the processing iteration number is equal to the maximum 
number of iterations, the number of stages control unit 
303 outputs the input key data or randomized key data it 
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has received to the data randomizing unit 301 to complete 
the repeated processing. If the processing iteration 
number is below the maximum number of iterations^ the 
number of stages control unit 303 outputs the input key 

5 data or randomized key data it has received to the data 
randomizing unit 301 and has another iteration of the 
repeated processing performed. 

Note that during the first iteration of the repeated 
processing, the number of stages control unit 303 outputs 

10 the input key data it has received to the data randomizing 
unit 301. In the second and following iterations, the 
number of stages control unit 303 outputs the randomized 
data it has received to the data randomizing unit 301. 

As described above, the number of stages control unit 

15 303 controls the data randomizing unit 301 to have it 
perform the randomizing process twice or sixteen times. 
When a (T*n)^^ (where n=0,l, . . .) plaintext block is being 
encrypted, the repeated processing has the data 
randomizing unit 301 output sixteen sets of subkey data 

20 to the randomized data storing unit 302. However, in all 
other cases the data randomizing unit 301 outputs two sets 
of subkey data to the randomized data storing unit 302. 

(c) Randomized Data Storing Unit 302 
25 The randomized data storing unit 302 receives a 

control signal from the subkey data generation control unit 
106. The randomized data storing unit 302 also 

25 
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sequentially receives sixteen sets of subkey data or two 
sets of subkey data from the data randomizing unit 301. 
The sixteen sets of subkey data are respectively numbered 
SKo to SKi5^ while the two sets of subkey data are 

5 respectively numbered SKo and SKi. After receiving such 
data, the randomized data storing unit 302 stores either 
the sixteen sets of subkey data SKq to SK15 or the two sets 
of subkey data SKq and SKi, 

As shown in FIG. 5A, when the received control signal 

10 is "1", the randomized data storing unit 302 reads the 
stored sets of subkey data SKq to SK15 and outputs these 
sets of subkey data SKq to SK15 to the first to sixteenth 
encrypting units . 

As shown in FIG. 5B, when the received control signal 

15 is "0";. the randomized data storing unit 302 reads the 
stored sets of subkey data SKq and SKi and then sets 
SKi4=SKi2=SKio=SK8=SK6=SK4=SK2=SKo and 

SKi5=SKi3=SKii=SK9=SK7=SK5=SK3=SKi. Having done so, the 
randomized data storing unit 302 outputs the sets of subkey 
20 data SKo to SK15 to the first to sixteenth encrypting units. 

The sets of subkey data SKo to SK15 are respectively 
used as the first to sixteenth sets of subkey data. 

(9) Counter Unit 105 
25 The counter unit 105 is equipped with an internal 

region for storing a count value. This count value is 
initialized using the initial value "0". 
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The counter unit 105 receives completion information 
from the encrypting unit 100. This information shows that 
the encryption of one plaintext block is complete. On 
receiving the completion information, the counter unit 105 
adds "1" to the count value. When adding "1" to a count 
value that is already "2^° - 1"/ the counter unit 105 resets 
the count value to "0". 

(10) Subkey Data Generation Control Unit 106 

The subkey data generation control unit 106 reads the 
count value from the counter unit 105 . When the count value 
is "0"y the subkey data generation control unit 106 outputs 
a control signal with the value "1" to the subkey data 
generating unit 101. When the count value is not "0", the 
subkey data generation control unit 106 outputs a control 
signal with the value "0". 

(11) Register Control Unit 107 

The register control unit 107 also reads the count 
value from the counter unit 105. When the count value is 
"0", the register control unit 107 outputs a control signal 
with the value "1" to the register unit 104 . When the count 
value is not "0", the register control unit 107 outputs 
a control signal with the value "0" to the register unit 
104. 

(12) Block Combining Unit 109 
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The block combining unit 109 sequentially receives 
the ciphertext blocks Ct from the encrypting unit 100 and 
receives information showing the completion of output from 
the block dividing unit 108. 

On receiving information showing the completion of 
output, the block combining unit 109 combines all of the 
received ciphertext blocks Ct (t=0, 1,2, . . . . ) in the order 
it received them to generate the ciphertext data C. The 
block combining unit 109 outputs this ciphertext data C 
to the transmitting unit 11, 

1.3 Construction of the Data Decrypting Unit 20 

As shown in FIG. 1, the data decrypting unit 2 0 
includes a decrypting unit 200, a subkey data generating 
unit 201, a logical XOR unit 202, a data converting unit 

203, a register unit 204, a counter unit 205, a subkey data 
generation control unit 206, a register control unit 207, 
a block dividing unit 208, a block combining unit 209, a 
key obtaining unit 210, a key storing unit 211. 

The subkey data generating unit 201, the logical XOR 
unit 202, the data converting unit 203, the register unit 

204, the counter unit 205, the subkey data generation 
control unit 206, the register control unit 207, the key 
obtaining unit 210, and the key storing unit 211 of the 
data decrypting unit 20 respectively have the same 
constructions as the subkey data generating unit 101, the 
logical XOR unit 102, the data converting unit 103, the 
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register unit 104, the counter unit 105, the subkey data 
generation control unit 106, the register control unit 107, 
the key obtaining unit 110, and the key storing unit 111 
of the data encrypting unit 10. Accordingly, the 
5 following explanation will only focus on the differences 
between the data decrypting unit 20 and the data encrypting 
unit 10. 



(1) Block Dividing Unit 208 
10 The block dividing unit 208 receives the ciphertext 

Jtl data C from the receiving unit 21 and divides the received 

S ciphertext data C into a plurality of ciphertext blocks 

^ Ct (where t=0,l,2, ....) Each ciphertext block Ct is 64 

L. bits long. The block dividing unit 208 outputs each 

p 15 ciphertext block Ct it generates to the decrypting unit 
m 200 in order . 

□ The block dividing unit 208 also sequentially outputs 

the preceding ciphertext block Ct-i to the register unit 
204. When outputting the first ciphertext block Co to the 
20 decrypting unit 200, the block dividing unit 2 08 does not 
output any data to the register unit 204. 

On completing the output of all of the ciphertext 
blocks, the block dividing unit 208 outputs information 
showing the completion of output to the block combining 
25 unit 209. 
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(2) Decrypting Unit 200 

The decrypting unit 200 uses the data decryption part 
of a FEAL encryption method. 

The decrypting unit 200 includes first to sixteenth 

5 decrypting units (not illustrated) . 

The first decrypting unit receives a ciphertext block 
Ct from the block dividing unit 208 and first subkey data 
SKO from the subkey data generating unit 201, The first 
subkey data SKO is 32 bits long. The first decrypting unit 

10 decrypts the received ciphertext block Ct using the first 
subkey data SKO and so generates a first intermediate block. 
The first decrypting unit outputs this first intermediate 
block to the second decrypting unit. 

The second to fifteenth decrypting units 

15 respectively receive a first to fourteenth intermediate 
block from a preceding decrypting unit out of the first 
to fourteenth decrypting units in addition to 
corresponding subkey data out of the second to fifteenth 
subkey data SKi to SK14 from the subkey data generating unit 

20 201. Each of the second to fifteenth subkey data SKi to 
SK14 is 32 bits long. The second to fifteenth decrypting 
units respectively decrypt the first to fourteenth 
intermediate blocks using the second to fifteenth subkey 
data SKi to SK14 to generate the second to fifteenth 

25 intermediate blocks which are outputted to the third to 
sixteenth decrypting units. 

The sixteenth decrypting unit receives the fifteenth 
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intermediate block from the fifteenth decrypting unit and 
the sixteenth subkey data SK15 from the subkey data 
generating unit 201. This sixteenth subkey data SK15 is 
32 bits long. The sixteenth decrypting unit decrypts the 
fifteenth intermediate block using the sixteenth subkey 
data SK15 to generate the plaintext block Df 

Equation 14 

Dt=Dec(Ct/SKlt) 

Here, Dec(Ct/SKlt) represents the decrypting of the 
ciphertext Ct using the set SKlt (SKq to SK15) of subkey data 
that is generated during the t^^ decryption process. 

The sixteenth decrypting unit outputs the plaintext 
block Dt it generates to the block combining unit 209. 

After outputting the generated plaintext block Dt to 
the block combining unit 209, the encrypting unit 100 
outputs the completion information, which shows that the 
decrypting of one ciphertext block has been completed, to 
the counter unit 205. 

(3) Counter Unit 205 

The counter unit 205 receives completion information 
showing that the decrypting of one ciphertext block has 
been completed by the decrypting unit 200. On receiving 
this information, the counter unit 205 adds "1" to the count 
value . 
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(4) Register Unit 204 

The register unit 204 is equipped with regions for 
storing a 64--bit initial value IV and 64-bit stored data. 
5 In an initial state, the 64-bit stored data is set at the 
initial value IV. 

The register unit 204 receives the previous 
ciphertext block Ct-i from the block dividing unit 208. 

The register unit 204 receives a control signal from 
10 the register control unit 207. When the received control 
signal is "0", and the register unit 204 has received a 
ciphertext block Ct-i from the block dividing unit 208, the 
^ register unit 204 stores received ciphertext block Ct-i as 

^ the stored data after the decrypting unit 200 outputs the 

15 plaintext block Dt-i at the end of the data decrypting 
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process for the current ciphertext block. When the 
control signal is "1", the register unit 204 reads the 
initial value IV and stores it as the stored data. 

Putting this another way, when decrypting the (T*n)^^ 

20 ciphertext block (where n=0,l,2, ...), the register unit 
204 initializes the stored value using the initial value 
IV that is set in advance . In all other cases , the register 
unit 204 stores the preceding ciphertext block Cfi. As 
mentioned before, the value "T" is a value indicating a 

25 predetermined cycle. 



32 



• 



(5) Block Combining Unit 209 

The block combining unit 209 sequentially receives 
the plaintext blocks Dt from the decrypting unit 200 and 
receives information showing the completion of output from 
5 the block dividing unit 208. 

On receiving information showing the completion of 
output, the block combining unit 209 combines the received 
plaintext blocks Dt (t=0, 1,2, . . . . ) in the order it received 
them to generate the plaintext data D. The block combining 

^ 10 unit 109 outputs this plaintext data D to the decrypted 

gl 
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data storing unit 22. 

(6) Data Converting Unit 203 

The data converting unit 203 reads the 64-bit stored 
15 data from the register unit 204. On decrypting the t^^ 
ciphertext block Ct, the encrypting unit 100 reads the 
64-bit stored data Rlt shown below. 

Equation 8 
20 When t#T*k(k=0,l, ...) 

Rlt=Ct-i 

Equation 9 

When t=T*k (k=0, 1, . . . ) 
25 Rlt=IV 
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The data converting unit 203 next subjects the stored 
data Rlt it has read to a predetermined data conversion 
f to generate Slf 

Equation 10 

Slt=f (Rlt) 

Here, f (X) represents the value generated when the 
data converting unit 203 subjects the input data X to the 
data conversion f . 

(7) Logical XOR Unit 202 

The logical XOR unit 202 receives the 64-bit data Sit 
from the logical XOR unit 202 and generates the input key 
data IKlf 

Equation 11 

IKlt =Slt(+)EK 

(8) Subkey Data Generating Unit 201 

The subkey data generating unit 201 generates sixteen 
sets of 32-bit subkey data (the first to sixteenth subkey 
data SKo to SK15) . 

Equation 12 

When t?tT*k (k=0, 1, ...) 

SKlt=KGB(IKlt) 
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Here, KGB(X) represents the sixteen sets of subkey 
data that are generated by the type B subkey generating 
process using the input key data X, These sixteen sets 
of subkey data are composed of two types of subkey data. 

Equation 13 

When t=T*k(k=0,l, 

SKlt=KGA(IKlt) 

Here, KGA(X) represents the sixteen sets of subkey 
data that are generated by the type A subkey generating 
process using the input key data X. These sixteen sets 
of subkey data each differ from one another. 

2 . Operation of the Encrypted Communication System 5 

The following describes the operation of the 
encrypted communication system 5. 

2 . 1 Operation of the Transmission Apparatus 1 

The following describes the operation of the 
transmission apparatus 1. 

(1) Overall Operation of the Transmission Apparatus 1 

The following describes the overall operation of the 
transmission apparatus 1 with reference to the flowchart 
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shown in FIG. 8. 

The counter unit 105 sets the count value at "0", the 
register unit 104 sets the stored data at the initial value 
IV, and the block dividing unit 108 reads the plaintext 
5 data from the plaintext data storing unit 12 (step SlOl) . 
The key obtaining unit 110 reads the encryption key data 
from the encryption key data storing unit 13 and writes 
the read encryption key data into the key storing unit 111 
(step S102) . The block dividing unit 108 divides the read 

^ 10 plaintext data into a plurality of plaintext blocks (step 

01 

y S103) . 

ffi 

fft The block dividing unit 108 outputs each plaintext 

S block to the encrypting unit 100. The encrypting unit 100 

L receives a plaintext block from the block dividing unit 

15 108, encrypts the plaintext block to generate a ciphertext 
2 block, and outputs the generated ciphertext block to the 

O block combining unit 109 (step S104) . When all of the 

plaintext blocks have not been encrypted (step S105:No) , 
the processing returns to S104. 
20 On completing the output of all of the plaintext 

blocks (S105:Yes), the block dividing unit 108 outputs 
information showing the completion of output to the block 
combining unit 109. The block combining unit 109 combines 
all of the ciphertext blocks it has received in order to 
25 generate the ciphertext data which it outputs to the 
transmitting unit 11 (step S106) . 

The transmitting unit 11 receives the ciphertext data 
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and subjects the received ciphertext data to a 
parallel-to-serial conversion, modulation, and 
amplification to generate signals. The transmitting unit 
11 transmits these signals to the reception apparatus 2 
via the transfer path 3 (step S107) . 

(2) Operation of the Data Encrypting Unit 10 

The following describes the operation of the data 
encrypting unit 10 with reference to the flowchart in FIG. 
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The data converting unit 103 first reads the 64-bit 
stored data from the register unit 104 (step S121) , 
subjects the read data to a predetermined data conversion, 
and outputs the resulting 64-bit data to the logical XOR 

15 unit 102 (step S122) . 

The logical XOR unit 102 receives the 64-bit data from 
the data converting unit 103, reads the encryption key data 
from the key storing unit 111, takes a logical XOR for 
corresponding bits in the received 64-bit data and the read 

20 encryption key data to generate 64-bit input key data . The 
logical XOR unit 102 outputs the generated input key data 
to the subkey data generating unit 101 (step S123) . 

The subkey data generating unit 101 generates a 
plurality of sets of subkey data using the input key data 

25 and outputs each generated set of subkey data to a different 
encrypting unit in the first to sixteen encrypting units 
in the encrypting unit 100 (step S124) . 
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The encrypting unit 100 receives a plaintext block 
from the block dividing unit 108 (step S125) , encrypts the 
plaintext block using the plurality of sets of subkey data 
and so generates a ciphertext block (step S126) . The 
5 counter unit 105 adds "1" to the count value (step S127) . 
The encrypting unit 100 outputs the ciphertext block to 
the block combining unit 109 (step S128) . 

The subkey data generation control unit 106 reads the 
count value from the counter unit 105 . When the count value 
10 is "0" (step S141:Yes) ^ the subkey data generation control 
unit 106 outputs a control signal with the value "1" to 
the subkey data generating unit 101 (step S143) • 

^ Conversely^ when the count value is not "0" (step S141:No) , 

y 

^ the subkey data generation control unit 106 outputs a 

Q 

m 15 control signal with the value "0" to the subkey data 
m generating unit 101 (step S142) . 

p The register control unit 107 also reads the count 

value of the counter unit 105. When the count value is 
"0" (step S151:Yes) ^ the register control unit 107 outputs 
20 a control signal with the value "1" to the register unit 
104 (step S153) . Conversely, when the count value is not 
"0" (step S151:No), the register control unit 107 outputs 
a control signal with the value "0" to the register unit 
104 (step S152) . 
25 The register unit 104 stores a value in accordance 

with the control signal received from the register control 
unit 107 (step S161) . 
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(3) Operation of the Counter Unit 105 

The following describes the operation of the counter 
unit 105 with reference to the flowchart shown in FIG. 10. 
5 On receiving a completion signal from the encrypting 

unit 100 showing that the encryption of one plaintext block 
has been completed, the counter unit 105 adds "1" to the 
count value (step S181) . When the count value reaches 2^° 
(step S182 : Yes) the counter unit 105 resets the count value 
3 10 to "0" (step S183) • 

m 
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(4) Operation of the Register Unit 104 

The following describes the operation of the register 
unit 104 with reference to the flowchart in FIG. 11. 

15 The register unit 104 receives a control signal from 

the register control unit 107. When the received control 
signal is "0" (step S201:"=0") and a ciphertext block is 
received from the sixteenth encrypting unit lOOd, the 
register unit 104 stores this ciphertext block as the 

20 stored data (step S202) . When the received control signal 
is "1" (step S201:" = l"), the register unit 104 reads the 
initial value IV and stores the initial value as the stored 
data (step S203) . 

25 (5) Operation of the Subkey Data Generating Unit 101 

The following describes the operation of the subkey 
data generating unit 101 with reference to the flowcharts 



39 

\ 



in FIGS. 12 and 13. 

The number of stages control unit 303 of the subkey 
data generating unit 101 receives a control signal from 
the subkey data generation control unit 106. When the 
received control signal is "1" (step S221 : "=1" ) , the number 
of stages control unit 303 sets the maximum number at 16 
(step S223) , while when the received control signal is "0" 
(step S221:"=0")/ the number of stages control unit 303 
sets the maximum number at 2 (step S222) . On receiving 
the control signal, the number of stages control unit 303 
also sets the iteration number "i" at "0" (step S224) . 

The number of stages control unit 303 receives either 
input key data or randomized data. In the first iteration 
(step S225:Yes), the number of stages control unit 303 
outputs the input key data to the data randomizing unit 
301 (step S227) . In the second and following iterations 
(step S225:No), the number of stages control unit 303 
outputs the randomized data to the data randomizing unit 
301 (step S226) . 

The data randomizing unit 301 performs a data 
randomizing process and so generates the subkey data and 
randomized data (step S228) . The randomized data storing 
unit 302 stores the subkey data (step S229) . Next, the 
number of stages control unit 303 adds "1" to the value 
of the iteration number i (step S230) and compares the 
resulting iteration number with the maximum number. When 
the iteration number is below the maximum number (step 
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S231:Yes), the processing returns to step S225 and the 
above procedure is repeated. 

When the iteration number is at least equal to the 
maximum number (step S231:Yes), the repeated processing 
is completed. The randomized data storing unit 302 then 
receives a control signal from the subkey data generation 
control unit 106. When the received control signal is "1" 
(step S232), the randomized data storing unit 302 reads 
the stored sets of subkey data SKq to SK15 and outputs the 
read sets of subkey data SKq to SK15 to the first to sixteen 
encrypting units (step S235) . 

When the received control signal is "0" (step S232) , 
the randomized data storing unit 302 reads the stored sets 
of subkey data SKq and SKi, sets SKi4=SKi2=SKio=SK8 
=SK6=SK4=SK2=SKo and SKi5=SKi3=SKii=SK9=SK7=SK5=SK3=SKi, and 
outputs the sets of subkey data SKq to SK15 to the first 
to sixteenth encrypting units (steps S233 and S234) . 

(6) Operation of the Data Randomizing Unit 301 

The following describes the operation of the data 
randomizing unit 301 with reference to the flowchart in 
FIG. 14. 

The separating unit 301a receives 64-bit data from 
the number of stages control unit 303 and separates the 
received 64-bit data to generate the upper 32-bit data Al 
and the lower 32-bit data AO. The separating unit 301a 
outputs the data Al to the logical XOR unit 301b and the 
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data jumbling unit 301c, and outputs the data AO to the 
combining unit 301d and the data jumbling unit 301c (step 
S251) . 

The data jumbling unit 301c receives the data AO and 
5 the data Al from the separating unit 301a, takes a logical 
XOR for corresponding bits in the data AO and the data Al 
to generate 32-bit data, and separates this 32-bit data 
into four sets of 8-bit data. The data jumbling unit 301c 
then performs a predetermined substitution on each set of 
10 8-bit data and combines the resulting sets of modified 
8-bit data to generate a new set of 32-bit data. The data 
jumbling unit 301c also replaces predetermined bits in the 
32-bit data with other bits to generate the 32-bit data 
CI which it outputs to the logical XOR unit 301b (step 
B 15 S252) . 

pes 

m The logical XOR unit 301b receives the data AO from 

O 

□ the separating unit 301a and the 32-bit data CI from the 

data jumbling unit 301c and takes a logical XOR for 
corresponding bits in the data AO and the data CI to 
20 generate the subkey data BO. The logical XOR unit 301b 
outputs this subkey data BO to the randomized data storing 
unit 302 and the combining unit 301d (step S253) . 

The combining unit 301d receives the data AO from the 
separating unit 301a and the subkey data BO from the logical 
25 XOR unit 301b. The combining unit 301d combines the data 
AO and the subkey data BO with the data AO as the upper 
bits and the subkey data BO as the lower bits to generate 
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64-bit randomized data. The combining unit 301d outputs 
this 64-bit randomized data to the number of stages control 
unit 303 (step S254) . 

2.2 Operation of the Reception Apparatus 2 

The following describes the operation of the 
reception apparatus 2 . 

(1) Overall Operation of the Reception Apparatus 2 

The overall operation of the reception apparatus 2 
is similar to the operation of the transmission apparatus 
1, and so will also be explained with reference to the 
flowchart shown in FIG. 8. 

The receiving unit 21 of the reception apparatus 2 
receives signals from the transmitting unit 11 of the 
transmission apparatus 1 via the transfer path 3. The 
receiving unit 21 subjects the received signals to 
demodulation and serial-to-parallel conversion to 
generate a ciphertext. The counter unit 205 sets the count 
value at "0", and the register unit 204 sets the stored 
data at the initial value IV. The block dividing unit 208 
receives the ciphertext data from the receiving unit 21 
(this corresponds to step SlOl) , and the key obtaining unit 
210 reads the encryption key data from the encryption key 
data storing unit 23 and writes it into the key storing 
unit 211 (this corresponds to step S102) . The block 
dividing unit 208 divides the ciphertext data into a 
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plurality of ciphertext blocks (this corresponds to step 
S103) . 

The block dividing unit 208 outputs each ciphertext 
block to the decrypting unit 200. The decrypting unit 200 
5 receives a ciphertext block from the block dividing unit 
208, decrypts the received ciphertext block to generate 
a plaintext block, and outputs the resulting plaintext 
block to the block combining unit 209 (this corresponds 
to step S104) . When the decrypting unit 200 has not 

I J 

3 10 completed the decryption of all of the ciphertext blocks 
y (this corresponds to S105:No), the decrypting process is 

^ repeated. 

When the outputting of all of the ciphertext blocks 
is complete (this corresponds to S105:Yes), the block 
15 dividing unit 208 outputs information showing the 
^ completion of output to the block combining unit 209. The 

block combining unit 209 combines all of the plaintext 
blocks it has received in order to generate plaintext data 
(this corresponds to step S106) , and writes the generated 
20 plaintext data into the decrypted data storing unit 22 
(this corresponds to step S107) . 

(2) Operation of the Data Decrypting Unit 20 

The operation of the data decrypting unit 20 is 
25 similar to that of the data encrypting unit 10 and so is 
explained with reference to the flowchart in FIG. 9. 

The data converting unit 203 reads the 64-bit stored 
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data from the register unit 204 (this corresponds to step 
S121) , perforins a predetermined data conversion on the 
stored data, and outputs the converted 64-bit data to the 
logical XOR unit 202 (this corresponds to step S122) . 
5 The logical XOR unit 202 receives 64-bit data from 

the data converting unit 203, reads the encryption key data 
from the key storing unit 211, and takes a logical XOR for 
corresponding bits in the 64-bit data and encryption key 
data to generate 64-bit input key data. The logical XOR 

O 

£i 10 unit 202 outputs this input key data to the subkey data 
bj generating unit 201 (this corresponds to step S123) . 

m The subkey data generating unit 201 generates a 

plurality of sets of subkey data using the input key data 
L and outputs each generated set of subkey data to a different 

^ 15 decrypting unit in the first to sixteenth decrypting units 
2 of the decrypting unit 200 (this corresponds to step S124) . 

: : 

B The decrypting unit 200 receives a ciphertext block 

from the block dividing unit 208 (this corresponds to step 
S125), decrypts the ciphertext block using the plurality 

20 of sets of subkey data, and so generates a plaintext block 
(this corresponds to step S126) • The counter unit 205 
increments the count value (this corresponds to step S127) . 
The decrypting unit 200 outputs the resulting plaintext 
block to the block combining unit 209 (this corresponds 

25 to step S128) • 

The operation of the subkey data generation control 
unit 20 6 is the same as the operation of the subkey data 
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generation control unit 10 6 that is shown in steps S141 
to S143 of the flowchart in FIG, 9, and so will not be 
explained. 

The operation of the register control unit 207 is the 
same as the operation of the register control unit 107 that 
is shown in steps S151 to S153 of the flowchart in FIG, 
9, and so will not be explained. 

The register unit 204 stores a value in accordance 
with the control value it receives from the register 
control unit 207 (this is the same as step S161 in the 
flowchart in FIG, 9) . 

(3) Operation of the Counter Unit 205 

The operation of the counter unit 205 is similar to 
that of the counter unit 105 and so is explained with 
reference to the flowchart in FIG. 10. 

On receiving completion information from the 
decrypting unit 200 showing that it has completed the 
decrypting of one ciphertext block, the counter unit 205 
adds one to the count value (this corresponds to step S181) . 
When this addition results in the count value reaching 2^° 
(this corresponds to S181 :Yes) , the counter unit 205 resets 
the count value to zero (this corresponds to step S183) . 

(4) Operation of Register Unit 204 

The operation of the register unit 204 is similar to 
that of the counter unit 105 and so is explained with 
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reference to the flowchart in FIG. 11. 

The register unit 204 receives a control signal from 
the register control unit 207. When the received control 
signal is "0" (step S201:Yes) and a previous ciphertext 
block is received from the block dividing unit 208, the 
register unit 204 stores this ciphertext block as the 
stored data (this corresponds to step S202) . When the 
received control signal is "1" (this corresponds to step 
S201:No), the register unit 204 reads the initial value 
IV and stores the initial value IV as the stored data (this 
corresponds to step S203) . 

(5) Operation of the Subkey Data Generating Unit 201 

The operation of the subkey data generating unit 2 01 
is similar to that of the subkey data generating unit 101, 
so that the following description will focus on the 
differences with the procedure in the flowcharts shown in 
FIGS. 12 and 13. 

In step S235, the randomized data storing unit 302 
reads the stored subkey data SKq to SK15 and outputs the 
respective sets of subkey data SKq to SK15 to the 
corresponding first to sixteenth decrypting units in the 
decrypting unit 200. 

In steps S233 and S234, the randomized data storing 
unit 302 reads the stored subkey data SKq and SKi, sets 
SKi4=SKi2=SKio~SK8=SK6=SK4=SK2=SKo and 
SKi5=SKi3=SKii=SK9=SK7=SK5-=SK3=SKi, and outputs the 
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respective sets of subkey data SKq to SK15 to the 
corresponding first to sixteenth decrypting units in the 
decrypting unit 200. 

(6) Operation of the Data Randomizing Unit 301 

The operation of the data randomizing unit 301 in the 
subkey data generating unit 201 is the same as the operation 
of the data randomizing unit 301 in the subkey data 
generating unit 101 that was described using FIG. 14. No 
further explanation will be given. 

3 . Correspondence between the Plaintext and Decrypted Text 

The ciphertext blocks Co^ Ci, . . . are obtained when 
the data encrypting unit 10 encrypts the plaintext block 
sequence Pq/ Pi, . . . using the 64-bit encryption key data. 
These ciphertext blocks are decrypted by the data 
decrypting unit 20 using the same 64-bit encryption key 
data to generate the plaintext block sequence Do, Di, .... 
that is the same as the plaintext block sequence Pq, Pi, . • . . 
This is shown in more detail below. 

Equation 15 is found from Equations 1 and 2 and 
Equations 8 and 9. 

Equation 15 

ROt=Rlt (t=0,l, ...) 



48 



Equation 16 is found from Equation 15 and Equations 

3 and 10. 

Equation 16 

SOt=Slt (t=0,l, ...) 

Equation 17 is found from Equation 16 and Equations 

4 and 11. 

Equation 17 

IKOt =IKlt (t-0, 1, • . . ) 

Therefore, Equation 18 is given by Equations 17 and 

5 and Equations 12 and 13. 

Equation 18 

SKOt=SKlt (t=0,l...) 
Equation 19 is found from Equations 7 and 14. 
Equation 19 

Dt=Dec (Enc (Pt. SKOt) / SKlt) 

{t=0,l, . . .) 

The following relationship (Equation 20) is formed 
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for any 64-bit data oc,^ in the functions Enc and Dec, 
Equation 20 

a=Dec (Enc (a^ (3) , p) 

Therefore, from Equations 19, 20, and 18 

Dt=Pt 

4. Evaluation of Security and Encryption Processing Speed 

(1) Security 

In the present embodiment, the encryption of a t^^ 
(where t#2^°*k (k=0, !,,•.)) plaintext block is performed 
using sixteen sets of 32-bit subkey data SKq, . . . , SK15 that 
are inputted into the encrypting unit 100. As described 
earlier, these sets of subkey data are generated so that 
SKo=SK2=SK4 .... =Si4 and SKi^SKa-SKs .... =815, so that 
security against known plaintext attacks is not as high 
as the conventional method where each set of subkey data 
is different . 

However, the input key data IKOt used to encrypt these 
plaintext blocks is set so that 

IKOt=EK( + )Ct-i 

As there are 2^^ potential values of Ct-i, it is 
practically impossible to obtain a large number of 
plaintext blocks that have been encrypted using the same 
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IKOf This makes the present method secure against known 
plaintext attacks . 

The encryption of a t^^ (where t=2^°*k (k=0,l,...)) 
plaintext block is also performed using sixteen sets of 
32-bit subkey data SKq, .../ SK15 that are inputted into 
the encrypting unit 100, As described earlier, each of 
these sets of subkey data is different, so that security 
against known plaintext attacks is the same as with the 
stated conventional method. 

(2) Encryption Processing Speed 

The following describes the encryption processing 
speed of the data encrypting unit 10. 

When a t^^ (where t?^^2^°*k (k=0,l,...)) plaintext 
blocks Pt is encrypted, the subkey data generating unit 
101 performs a simple process that generates sixteen sets 
of 32-bit subkey data by generating what are effectively 
only two 32-bit sets of subkey data. This means that the 
generation of subkey data for each block has a lesser effect 
on the encryption processing speed that the stated 
conventional method. 

5. Other Modifications 

While the present invention has been explained by way 
of the embodiments given above, it should be obvious that 
the invention is not limited to the details given therein. 
Several modifications are possible, with representative 
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examples being given below. 

(1) In the above embodiment, the logical XOR unit 102 (202) 
is described as a data merging means that takes an XOR for 
each bit in the 64-bit data generated by the data converting 
unit 103 (203) and the encryption data. However the same 
effect can be achieved even if an XOR is not taken for every 
bit position. 

(2) In the above embodiment, the data converting unit 103 
(203) is described as outputting 64-bit converted data, 
though such data does not need to be 64 bits long. As one 
example, when the encryption key data is 56 bits long, a 
data converting unit that outputs 56-bit data may be used. 

(3) In the above embodiment, the register unit 104 (204) 
receives an input of ciphertext data generated in the 
immediately preceding encryption process, though the 
64-bit value obtained during the immediately preceding 
encryption process may be used. As one example, the first 
or second intermediate block generated during the 
encryption process may be used. The data used does not 
need to be 64 bits long, so that shorter data, such as a 
40-bit value, may be used. 

The following describes one possible arrangement 
when 40-bit data is used. The data converting unit 103 
(203) receives the 40-bit data and converts the data to 
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generate new 40-bit data. The key storing unit 111 stores 
40-bit encryption key data. The logical XOR unit 102 takes 
a logical XOR for corresponding bits in the new 40-bit data 
and the 40-bit encryption key data to generate 40-bit input 
key data. The subkey data generating unit 101 generates 
sixteen sets of 20-bit subkey data which are used during 
encryption by the first to sixteenth encrypting units of 
the encrypting unit 100. 

(4) In the above embodiment, the encrypting unit 100 uses 
a FEAL method, though any block encryption method may be 
used. As one example, DES (Data Encryption Standard) may 
be used. 

The subkey data generating unit 101 is not limited 
to having the construction described above. As one 
example, the subkey data generating unit 101 may generate 
sixteen sets of 32-bit subkey data from 64-bit input key 
data . 

(5) The present invention is not limited to a construction 
where the subkey data generating unit 101 uses two types 
of encryption processing where random numbers are 
generated using different processing loads. Any 
arrangement may be used, so long as the encryption 
processing used when the control signal "1" is inputted 
has a heavier load than the encryption processing used when 
the control signal "0" is inputted. 
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As one example, instead of generating two sets of 
subkey data, the subkey data generating unit may generate 
different data for the first 16 bits of each of the sixteen 
sets of subkey data and then generate the latter 16 bits 
5 of each set of subkey data based on the corresponding former 
16 bits. Such processing will reduce the processing load 
of key generation in the same way as described above. 

Instead of generating two sets of subkey data, the 
subkey data generating unit may generate three, four, five, 

O 

^ 10 or any other number up to fifteen sets of subkey data, with 

oi 

bj the first to sixteen encrypting units each using one of 

pi the generated sets of subkey data. 

S ! 

^ (6) The counter unit 105 (205) resets the count value to 

rf 15 "0" when it reaches "2^ -1", although the invention is not 
£ limited to using "2^°-l" as the upper limit for the count 

O value. Any positive integer may be used. The count value 

also does not need to be reset to "0". 

In the above embodiments, the apparatuses are 
20 described as internally storing 64-bit encryption key data. 
However, the apparatuses may instead only store 64-bit 
encryption key data that is used the first time encryption 
is performed, with the input key data that is used when 
encrypting each of the other plaintext blocks being 
25 encrypted and transferred with the plaintext blocks . When 
updating the input key data, public key encryption, such 
as the Dif f ie-Hellman method, may be used to distribute 
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the input key data to the apparatuses that are to perform 
communication . 

(7) The present invention also applies to the method used 
by the apparatuses described above. This method may be 
realized by computer programs that are executed by 
computers. Such computer programs may be distributed as 
digital signals . 

The present invention may be realized by a 
computer-readable storage medium, such as a floppy disk, 
a hard disk, a CD-ROM (Compact Disc-Read Only Memory) , an 
MO (magneto-optical) disc, a DVD (Digital Versatile Disc) , 
a DVD-ROM, a DVD-RAM, or a semiconductor memory, on which 
computer programs and/or digital signals mentioned above 
are recorded. Conversely, the present invention may also 
be realized by a computer program and/or digital signal 
that is recorded on a storage medium. 

Computer programs or digital signals that achieve the 
present invention may also be transmitted via a network, 
such as an electronic communication network, a wired or 
wireless communication network, or the Internet. 

The present invention can also be realized by a 
computer system that includes a microprocessor and a memory. 
In this case, a computer program can be stored in the memory, 
with the microprocessor operating in accordance with this 
computer program. 

The computer programs and/or digital signals may be 
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provided to an independent computer system by distributing 
a storage medium on which the computer programs and/or 
digital signals are recorded, or by transmitting the 
computer programs and/or digital signals via a network. 
The independent computer may then execute the computer 
programs and/or digital signals to function as the present 
invention . 

(8) The limitations described in the embodiment and the 
modifications may be freely combined. 

Although the present invention has been fully 
described by way of examples with reference to the 
accompanying drawings, it is to be noted that various 
changes and modifications will be apparent to those skilled 
in the art. Therefore, unless such changes and 
modifications depart from the scope of the present 
invention, they should be construed as being included 
therein . 
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